Skip to main content

Linux Kernel CVE-2026-46202

| EUVDEUVD-2026-32829 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-w4g4-gf2v-88rm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 17:27 vuln.today
CVSS changed
Jun 10, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

HID: appletb-kbd: run inactivity autodim from workqueues

The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:

  • appletb_inactivity_timer() is a struct timer_list callback, so it

runs in softirq context. Every expiry triggers

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591 Call Trace: <IRQ> __might_resched __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq

  • reset_inactivity_timer() is called from appletb_kbd_hid_event() and

appletb_kbd_inp_event(). On real USB hardware these run in softirq/IRQ context (URB completion and input-event dispatch). When the Touch Bar has already been dimmed or turned off, the reset path calls backlight_device_set_brightness() directly to restore brightness, producing the same warning.

Both call sites hit the same mutex_lock()-from-atomic bug. Fix them together by moving the blocking work onto the system workqueue:

  • Convert the inactivity timer from struct timer_list to

struct delayed_work; the callback (appletb_inactivity_work) now runs in process context where mutex_lock() is legal.

  • Add a dedicated struct work_struct restore_brightness_work and have

reset_inactivity_timer() schedule it instead of calling backlight_device_set_brightness() directly.

Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.

The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes. The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as "reset the inactivity timer".

AnalysisAI

Kernel crash (denial of service) in the Linux kernel's hid-appletb-kbd driver results from calling a mutex-acquiring function from softirq and IRQ atomic contexts on Apple Touch Bar MacBooks running Linux. Authenticated local attackers with low privileges can trigger a kernel BUG by inducing Touch Bar inactivity or generating HID events that exercise the broken brightness-reset path, crashing the system. No public exploit has been identified and EPSS is 0.02% (4th percentile), reflecting the niche hardware requirement; patches are available in kernel versions 6.18.32, 7.0.9, and 7.1-rc4.

Technical ContextAI

The hid-appletb-kbd driver manages the autodim backlight timer for the Apple Touch Bar. Two code paths - appletb_inactivity_timer() (a struct timer_list callback, running in Linux softirq context) and reset_inactivity_timer() (called from USB URB completion and input-event dispatch, also in softirq/IRQ context) - both invoke backlight_device_set_brightness(), which internally calls mutex_lock() on backlight_device->ops_lock. The Linux kernel forbids sleeping (blocking) operations such as mutex acquisition inside atomic contexts (softirq, hardirq), and this violation triggers the kernel's __might_resched/__might_sleep instrumentation, producing a BUG and potentially crashing the system. The fix converts the inactivity timer from struct timer_list to struct delayed_work (which defers execution to process context via the system workqueue, where mutex_lock() is legal) and introduces a dedicated struct work_struct for brightness restoration. No formal CWE is assigned, but the root cause class is improper locking / sleep-while-atomic, analogous to CWE-667 (Improper Locking). CPE data confirms the affected product as cpe:2.3:o:linux:linux_kernel across multiple stable and release-candidate branches.

RemediationAI

The primary remediation is to upgrade the Linux kernel to version 6.18.32, 7.0.9, or 7.1-rc4 (or any later stable release), which incorporate the workqueue-based fix via upstream commits 1654e53349d4e657b331de354313461f401f5063, 2473a334c292af257ef68e33bc7760f4a8251812, and 5c0830323689ef15224f0025276176988861b3b0, available at https://git.kernel.org/stable/c/. Distribution maintainers (Debian, Ubuntu, Fedora, Arch, etc.) should be consulted for backport status in their respective kernel packages. As a compensating control on unpatched systems, unloading or blacklisting the hid-appletb-kbd module eliminates the vulnerable code path entirely: run 'modprobe -r hid-appletb-kbd' for an immediate effect, or add 'blacklist hid-appletb-kbd' to /etc/modprobe.d/ for persistence across reboots. The trade-off is loss of Touch Bar backlight autodim and keyboard brightness management functionality. This workaround has no security side effects beyond the loss of that feature. NVD advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-46202.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46202 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy